On 21.02.2014 at 10:32, selinux-request@lists.fedoraproject.org wrote:
Send selinux mailing list submissions to selinux@lists.fedoraproject.org
Today's Topics:
- Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
- RE: Correct way to use booleans (Jayson Hurst)
- Re: semanage error when upgrading to RHEL 6.5 (Miroslav Grepl)
- Re: Correct way to use booleans (Miroslav Grepl)
- Re: how to change the context of running process (Miroslav Grepl)
- Re: How to properly setup my domains security contexts in the domain.fc file? (Miroslav Grepl)
Message: 1
Date: Thu, 20 Feb 2014 14:30:06 -0800 (PST)
From: Andy Ruch adruch2002@yahoo.com
To: Daniel J Walsh dwalsh@redhat.com, Fedora SELinux selinux@lists.fedoraproject.org
Subject: Re: semanage error when upgrading to RHEL 6.5
Message-ID: 1392935406.63212.YahooMailNeo@web124903.mail.ne1.yahoo.com
Content-Type: text/plain; charset=utf-8
On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh dwalsh@redhat.com wrote:
On 02/20/2014 04:44 PM, Andy Ruch wrote:
On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh dwalsh@redhat.com wrote:
On 02/20/2014 03:46 PM, Andy Ruch wrote:
On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh wrote:
On 02/19/2014 11:56 AM, Andy Ruch wrote:
> Hello,
>
> I have a policy that was originally written for RHEL 6.2. I’m now trying to upgrade to RHEL 6.5 and I’m having problems with semanage. I can install a fresh RHEL 6.5 system with the targeted policy and everything works fine. I then uninstall the targeted policy and install my policy and I can’t link the linux user and selinux user.
>
> semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
> useradd -G wheel testuser
> semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
> libsemanage.dbase_llist_query: could not query record value
> /usr/sbin/semanage: Could not query user for testuser
>
> I have the RHEL 6.5 source code for libsemanage and the targeted policy but so far I haven't been able to find differences that would affect this problem. Could someone please point me in the right direction as far as what semanage is expecting? What would prevent libsemanage from querying for the user?
>
> Thanks,
> Andy
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

What does semanage login -l and semanage user -l show?
semanage user -l shows:

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles

root            user       s0         s0-s0:c0.c1023     system_r
system_u        user       s0         s0-s0:c0.c1023     system_r
testuser_u      user       s0         s0-s0:c0.c1023     staff_r sysadm_r
user_u          user       s0         s0                 user_r

semanage login -l shows:

Login Name                SELinux User              MLS/MCS Range

root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
And the testuser exists in /etc/passwd?
Yes. The commands "semanage user -a" and "useradd" appear to work fine. It's the "semanage login -a" that has trouble.
And this is with the stock policycoreutils or a rebuilt one?
Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy and selinux-policy-targeted RPMs and add my policy RPMs.
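The two things asked about in the thread above (does the SELinux user show up in "semanage user -l", does the Linux user exist in passwd) can be checked in one pass before running "semanage login -a". The script below is an added example, not part of the thread or of policycoreutils; the function names and sample data are constructed, and the check for an already existing login mapping is an extra precondition not raised in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): rule out the usual preconditions before
# "semanage login -a", using saved command output so it also runs offline.

# Constructed samples, modelled on the output quoted in the thread.
SAMPLE_USERS='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles

root            user       s0         s0-s0:c0.c1023     system_r
system_u        user       s0         s0-s0:c0.c1023     system_r
testuser_u      user       s0         s0-s0:c0.c1023     staff_r sysadm_r
user_u          user       s0         s0                 user_r'
SAMPLE_LOGINS='Login Name                SELinux User              MLS/MCS Range

root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
testuser:x:500:500::/home/testuser:/bin/bash'

# Print column $2 of the first row whose first field is $1; exit 1 if none.
row_field() {
    awk -v key="$1" -v col="$2" \
        '$1 == key { print $col; hit = 1; exit } END { exit !hit }'
}

# preflight LINUX_USER SEUSER USERS_TEXT LOGINS_TEXT PASSWD_TEXT
# On success prints the SELinux user's MLS/MCS range, for comparison with the
# range you intend to pass to "semanage login -a -r".
# Returns 0 ok, 1 no passwd entry, 2 SELinux user not defined,
#         3 a login mapping already exists (use "semanage login -m" instead).
preflight() {
    printf '%s\n' "$5" | cut -d: -f1 | grep -Fqx -- "$1" || return 1
    range=$(printf '%s\n' "$3" | row_field "$2" 4) || return 2
    if printf '%s\n' "$4" | row_field "$1" 2 >/dev/null; then return 3; fi
    printf '%s\n' "$range"
}

# Live use on the host (run as root):
#   preflight testuser testuser_u "$(semanage user -l)" \
#       "$(semanage login -l)" "$(getent passwd)"
```

On the data quoted in the thread every check passes, which is consistent with the replies: the user definitions look correct and the failure has to be sought elsewhere.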
Message: 2
Date: Thu, 20 Feb 2014 16:54:18 -0700
From: Jayson Hurst swazup@hotmail.com
To: Daniel J Walsh dwalsh@redhat.com, "selinux@lists.fedoraproject.org" selinux@lists.fedoraproject.org
Subject: RE: Correct way to use booleans
Message-ID: BLU172-W3728825C096AEDF18A065DD59A0@phx.gbl
Content-Type: text/plain; charset="iso-8859-1"
I see the same thing on RHEL 6.5.
So should I assume this is a bug in SELinux/OS? Even so, is there a way that I can work around it? Would there be anything wrong with transitioning files I create in tmp from tmp_t to user_tmp_t?
Date: Thu, 20 Feb 2014 14:21:55 -0500
From: dwalsh@redhat.com
To: swazup@hotmail.com; selinux@lists.fedoraproject.org
Subject: Re: Correct way to use booleans
On 02/20/2014 01:41 PM, Jayson Hurst wrote:
I am running in permissive mode, my module is in permissive mode.
I am actually running on RHEL 6.0.
So in this scenario even though my daemon is authenticating the user it is not responsible for context that the krb5cc_xxx file gets created as?
The login daemons should be creating this file with the correct context. user_tmp_t.